None Computing title Xylok Security Suite 20.x Security Technical Implementation Guide version 1 releaseinfo Release: 2 Vuln_Num V-269569 Rule_ID SV-269569r1155155_rule Severity medium Rule_Title Xylok Security Suite must protect application-specific data. Vuln_Discuss The /var/lib/xylok directory is essential for storing various types of data necessary for the operation and functionality of the Xylok Security Suite. It acts as a central repository for application data, ensuring that the suite can function effectively and maintain state and configuration between sessions. Proper management and protection of this directory is crucial to ensure the security and stability of the application. Check_Content Check the Xylok lib file permissions with the following command: $ ls -l /var/lib/xylok/data If the "db" directory has permissions greater than "0700", this is a finding. $ ls -l /var/lib/xylok If any file or directory has permissions greater than "0755", this is a finding. Fix_Text As root, correct permissions for xylok.conf by running: # chmod -R 0755 /var/lib/xylok # chmod -R 0700 /var/lib/xylok/data/db Not_Reviewed Vuln_Num V-269570 Rule_ID SV-269570r1053485_rule Severity medium Rule_Title Xylok Security Suite must limit system resources consumed by the application. Vuln_Discuss Not limiting system resources to Xylok presents a denial-of-service (DoS) risk. Each open instance of Xylok periodically retrieves a list of background tasks. Open sessions, even sessions not being actively used, consume a small amount of server resources and could result in Xylok becoming slow or entirely responsive. In addition, this risk impacts the host system for the container by consuming excessive CPU, allowing a DoS attack on Xylok to also impact other software hosted on the same physical machine. Satisfies: SRG-APP-000001, SRG-APP-000435 Check_Content Determine if Xylok is configured to limit its maximum CPU and memory usage with the following command, run from the host machine as a normal user: $ grep LIMIT_ /etc/xylok.conf Verify the following settings are configured: - LIMIT_MEM set to less than 100 percent of the host machine's memory. - LIMIT_CPU set to less than 1000. If any of the above settings are not present or are blank, this is a finding. Fix_Text Configure the Xylok Security Suite to limit CPU and memory usage using this procedure on the host machine. As root, open /etc/xylok.conf in a text editor. 1. Add the following settings if not present. All settings should be in the format "NAME=value". For example, the first required setting might appear as "LIMIT_MEM=4096m" in the configuration file, with no quotes. - LIMIT_MEM: Set to 2048m or greater, and less than 100 percent of the host machine's memory. - LIMIT_CPU: Set to 128 or greater, not to exceed 1000. This value can range from 1 to 1024, where 1024 allows usage of 100 percent of the CPU. 2. Save configuration file. 3. Restart Xylok to apply settings: # systemctl restart xylok Not_Reviewed Vuln_Num V-269571 Rule_ID SV-269571r1055707_rule Severity medium Rule_Title Xylok Security Suite must initiate a session lock after a 15-minute period of inactivity. Vuln_Discuss A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined and/or controlled. This is handled at the operating system-level and results in a system lock. Satisfies: SRG-APP-000003, SRG-APP-000190 Check_Content Verify session is configured to lock after 15 minutes of inactivity. Execute the following: $ grep SESSION_LENGTH /etc/xylok.conf SESSION_LENGTH=900 If "SESSION_LENGTH" is set to more than 15 minutes or is missing, this is a finding. Note: The setting is in seconds. 900 seconds = 15 minutes Fix_Text Set the session length: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "SESSION_LENGTH=900" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok Not_Reviewed Vuln_Num V-269572 Rule_ID SV-269572r1053491_rule Severity high Rule_Title Xylok Security Suite must expire a session upon browser closing. Vuln_Discuss When the session expires as soon as the browser is closed, it prevents session hijacking and unauthorized users from accessing the account or data if they reopen the browser. Leaving a session open in the browser even after it is closed could expose the system to various types of attacks, like cross-site scripting (XSS) or malware designed to steal session cookies. Automatically expiring sessions mitigates this risk. Satisfies: SRG-APP-000005, SRG-APP-000220, SRG-APP-000295, SRG-APP-000413 Check_Content Verify session expires after browser is closed. Execute the following: $ grep SESSION_EXPIRE_AT_BROWSER_CLOSE /etc/xylok.conf SESSION_EXPIRE_AT_BROWSER_CLOSE=True If "SESSION_EXPIRE_AT_BROWSER_CLOSE" is not set to "True" or is missing, this is a finding. Fix_Text Set the session expiration: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "SESSION_EXPIRE_AT_BROWSER_CLOSE=True" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok Not_Reviewed Vuln_Num V-269573 Rule_ID SV-269573r1054093_rule Severity high Rule_Title Xylok Security Suite must prevent access except through HTTPS. Vuln_Discuss Preventing access, except via HTTPS, ensures security and protects sensitive data. HTTP_ONLY: If true, disables listening on the HTTPS port and allows all calls to happen over HTTP. This must be set to false. HTTPS encrypts data transmitted between the client (browser) and the server. Sensitive information, such as login credentials, personal data, and session cookies, is protected from being intercepted by malicious actors (e.g., through man-in-the-middle attacks) during transmission. When data is sent over HTTP (unencrypted), it can be intercepted and altered. HTTPS mitigates this by encrypting the communication. HTTPS uses digital certificates (SSL/TLS certificates) to authenticate the server’s identity. This ensures that users are connecting to the legitimate server rather than a malicious entity attempting to impersonate the site. HTTPS-only policies enable the use of HSTS, which forces browsers to only interact with the site using HTTPS and prevents users from being redirected to an HTTP version of the site. This can defend against certain attacks, like SSL stripping, which downgrade connections to HTTP. Satisfies: SRG-APP-000014, SRG-APP-000142, SRG-APP-000219, SRG-APP-000411, SRG-APP-000412, SRG-APP-000439, SRG-APP-000440, SRG-APP-000442, SRG-APP-000514, SRG-APP-000555, SRG-APP-000645 Check_Content Verify HTTP_ONLY is set to "false": $ grep HTTP_ONLY /etc/xylok.conf HTTP_ONLY=false If "HTTP_ONLY=true" or is not configured, this is a finding. Fix_Text Add/Amend HTTP_ONLY to the configuration files: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend the following to the configuration file: HTTP_ONLY=false 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok Not_Reviewed Vuln_Num V-269574 Rule_ID SV-269574r1053497_rule Severity high Rule_Title Xylok Security Suite must use a centralized user management solution. Vuln_Discuss Configuring Xylok Security Suite to integrate with an Enterprise Identity Provider enhances security, simplifies user management, ensures compliance, provides auditing capabilities, and offers a more seamless and consistent user experience. It aligns Xylok Security Suite with enterprise standards and contributes to a more efficient and secure environment. Satisfies: SRG-APP-000023, SRG-APP-000025, SRG-APP-000026, SRG-APP-000027, SRG-APP-000028, SRG-APP-000029, SRG-APP-000033, SRG-APP-000065, SRG-APP-000080, SRG-APP-000089, SRG-APP-000090, SRG-APP-000149, SRG-APP-000150, SRG-APP-000153, SRG-APP-000154, SRG-APP-000155, SRG-APP-000156, SRG-APP-000157, SRG-APP-000163, SRG-APP-000164, SRG-APP-000165, SRG-APP-000166, SRG-APP-000167, SRG-APP-000168, SRG-APP-000169, SRG-APP-000170, SRG-APP-000173, SRG-APP-000175, SRG-APP-000176, SRG-APP-000177, SRG-APP-000180, SRG-APP-000185, SRG-APP-000291, SRG-APP-000292, SRG-APP-000293, SRG-APP-000294, SRG-APP-000318, SRG-APP-000319, SRG-APP-000320, SRG-APP-000345, SRG-APP-000391, SRG-APP-000392, SRG-APP-000401, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405, SRG-APP-000503, SRG-APP-000505, SRG-APP-000506, SRG-APP-000508, SRG-APP-000700, SRG-APP-000705, SRG-APP-000710, SRG-APP-000815, SRG-APP-000820, SRG-APP-000825, SRG-APP-000830, SRG-APP-000835, SRG-APP-000840, SRG-APP-000845, SRG-APP-000850, SRG-APP-000855, SRG-APP-000860, SRG-APP-000865, SRG-APP-000870, SRG-APP-000875, SRG-APP-000910 Check_Content Determine if Xylok is configured to use Active Directory (AD) authentication with the following command, run from the host machine as a normal user: $ grep -e "AD_SIGN_IN" -e "XYLOK_HOST" -e "AD_CLIENT_ID" /etc/xylok.conf Verify the following settings are present: - AD_SIGN_IN - XYLOK_HOST - AD_CLIENT_ID If any of the above settings are not present, blank, or "false" (case insensitive), this is a finding. Fix_Text The below procedure assumes an AD server hosted on Windows Server. For AD login using Azure AD, refer to the current Xylok Security Suite manual. Additional advice for AD configuration can also be found in the Xylok manual. Configure the Xylok Security Suite to use Active Directory login using this procedure on the host machine: 1. As root, open /etc/xylok.conf in a text editor. 2. Add the following settings if not present. All settings should be in the format "NAME=value". For example, the first required setting will appear as "AD_SIGN_IN=True" in the configuration file, with no quotes. - AD_SIGN_IN: use the value "True" - XYLOK_HOST: set to domain name used to access server on network - AD_CLIENT_ID: This is the value displayed on the ADFS server as ClientId when executing the Add-AdfsClient command - AD_SERVER: The fully qualified domain name (FQDN) of the ADFS server - AD_AUDIENCE: Set this to the value of the aud claim your ADFS server sends back in the JWT token. If this is a URL, it will be the same as the RELYING_PARTY_ID . - AD_RELYING_PARTY_ID: Set this to the Relying Party Trust identifier value of the Relying Party Trust (2012) or Web application (2016) configured in ADFS. 3. Save the configuration file. 4. Restart Xylok to apply settings: # systemctl restart xylok 5. In a web browser on a system with access to Xylok, go to https://<your xylok host>/oauth2/login. If SSO is configured correctly, it will redirect to the organization's sign-on page. Not_Reviewed Vuln_Num V-269575 Rule_ID SV-269575r1054094_rule Severity medium Rule_Title Xylok Security Suite must display the Standard Mandatory DOD Notice and Consent Banner before granting access. Vuln_Discuss Users accessing Xylok must be informed their actions might be monitored, potentially opening the organization up to legal challenges. Implementing a Consent Banner helps Xylok Security Suite remain compliant with legal requirements and protect user privacy while informing users of their rights regarding their data. Satisfies: SRG-APP-000068, SRG-APP-000069 Check_Content Verify the Standard Mandatory DOD Notice and Consent Banner has been configured: $ grep BANNER /etc/xylok.conf If the Standard Mandatory DOD Notice and Consent Banner is not displayed, this is a finding. Fix_Text Add banner to the configuration files: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend the following to the configuration file: BANNER=You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n- At any time, the USG may inspect and seize data stored on this IS.\n\n- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.\n\n- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok Not_Reviewed Vuln_Num V-269576 Rule_ID SV-269576r1053503_rule Severity medium Rule_Title Xylok Security Suite must protect audit information from any type of unauthorized access. Vuln_Discuss If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In addition, access to audit records provides information an attacker could potentially use to their advantage. To ensure the veracity of audit data, the information system and/or the Xylok Security Suite must protect audit information from any and all unauthorized access. This includes read, write, and copy access. Satisfies: SRG-APP-000118, SRG-APP-000119, SRG-APP-000120, SRG-APP-000121, SRG-APP-000122, SRG-APP-000123 Check_Content Check the Xylok log file directory permissions with the following command: $ ls -l /var/log/xylok If any of the directories have permissions greater than "0770", this is a finding. Fix_Text As root, remove all global permissions for Xylok's log files by running: # chmod -R 0770 /var/log/xylok/ Not_Reviewed Vuln_Num V-269577 Rule_ID SV-269577r1053506_rule Severity high Rule_Title Xylok Security Suite must be running a supported version. Vuln_Discuss It is critical to the security and stability of Xylok to ensure that updates and patches are deployed through a trusted software supply chain. Key elements to having a trusted supply chain include ensuring that versions deployed come from known, trusted sources. Additionally, it is important to check for and apply security-relevant updates in a timely manner. To help users manage updates, Xylok manages versions via their internal portal. Satisfies: SRG-APP-000131, SRG-APP-000456 Check_Content Verify the latest install is being used. Log on to the GUI and locate the version from the lower left corner. Compare this version with the latest release on the Xylok portal (https://downloads.xylok.io). If the current version is not the latest version from the Xylok portal, this is a finding. Fix_Text Update Xylok Security Suite to the latest version. Follow the instructions found here: https://app.xylok.io/docs/01-server-admin/installation/updating/. Not_Reviewed Vuln_Num V-269578 Rule_ID SV-269578r1054098_rule Severity medium Rule_Title The Xylok Security Suite READONLY configuration must be True. Vuln_Discuss By default, the Xylok container is created not allowing users to modify any files inside the container. The only paths that can be altered are mounted from the host. Mount the database files from the host, so that the database server running inside the container can write data. If READONLY=false, then a user could go into the container as root and change other files. This approach helps protect the application from both external attacks and internal threats. Check_Content Verify that Xylok's default read-only status is disabled by using the following command: $ grep READONLY /etc/xylok.conf If "READONLY" is set to False (case insensitive), is commented out or is missing, this is not a finding. Fix_Text Revert Xylok to its default read-only configuration: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "READONLY=True" to the configuration file. 3. Restart Xylok to apply settings: # systemctl restart xylok Not_Reviewed Vuln_Num V-269579 Rule_ID SV-269579r1053512_rule Severity medium Rule_Title Xylok Security Suite must disable nonessential capabilities. Vuln_Discuss If Xylok has unnecessary functionality enabled, the server may allow arbitrary code to run within the Xylok container. This would allow the user to potentially launch malicious acts against other hosts from inside the Xylok container. ENABLE_PP_TEST_API setting in the Xylok Security Suite refers to a configuration flag that enables a specific test API related to the policy processing (PP) functionalities of the suite. This setting is used primarily in development or testing environments to enable specific testing functionalities. Satisfies: SRG-APP-000141, SRG-APP-000246, SRG-APP-000247, SRG-APP-000384 Check_Content Verify that Xylok's default ENABLE_PP_TEST_API status is disabled by using the following command: $ grep ENABLE_PP_TEST_API /etc/xylok.conf If "ENABLE_PP_TEST_API" exists (case insensitive), this is a finding. Fix_Text Revert Xylok to its default configuration, which disables the post-processing test API: 1. As root, open /etc/xylok.conf in a text editor. 2. Delete any ENABLE_PP_TEST_API lines from configuration file. 3. Restart Xylok to apply settings: # systemctl restart xylok Not_Reviewed Vuln_Num V-269580 Rule_ID SV-269580r1053515_rule Severity medium Rule_Title The Xylok Security Suite configuration for DEBUG must be False. Vuln_Discuss Providing too much information in error messages risks compromising the data and security of the Xylok Security Suite and system. If DEBUG is set to True, it will show stack traces in error messages to assist with contact Xylok Support, but potentially reveal secure information. Check_Content Verify DEBUG is configured. Execute the following: $ grep DEBUG /etc/xylok.conf DEBUG=False If "DEBUG" is not set to False or is missing, this is a finding. Fix_Text Set DEBUG: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "DEBUG=False" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok Not_Reviewed Vuln_Num V-269581 Rule_ID SV-269581r1054095_rule Severity medium Rule_Title Xylok Security Suite must not allow local user or groups. Vuln_Discuss Active Directory’s (AD's) design to create but not delete local groups supports operational efficiency, system integrity, and compliance needs. Manual checks will help identify user accounts that are no longer active or orphaned accounts which could pose security risks. Within Xylok there must not be a local users/groups. Manually verifying local users and groups ensures that unauthorized users do not gain access to sensitive resources. Satisfies: SRG-APP-000328, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735 Check_Content Verify the local accounts and groups are associated with AD and that user privileges are correct. Check accounts as a logged in administrator in Xylok. 1. Verify there are no local users. Navigate to User Menu <username> >> Database Admin >> Users. If any local user(s) exist or users(s) are not current in AD, this is a finding. If any users have privileged access that do not require that access, this is a finding. 2. Verify there are no removed or local groups. Navigate to User Menu <username> >> Database Admin >> Groups . Verify the only groups exist are created by AD and are currently being used by AD. If any groups exist that are not actively being used by AD, this is a finding. Fix_Text Delete unused or local groups/users. 1. As a logged in administrator in Xylok, navigate to User Menu <username> >> Database Admin >> Users. 2. Select User(s) to delete. 3. Click on down arrow in "Action". 4. Select "Delete selected users" 5. Click "Go". 6. Click "Yes, I'm sure". 7. Delete Group. 8. As a logged in administrator in Xylok, navigate to User Menu <username> >> Database Admin >> Groups. 9. Select Group(s) to delete. 10. Click on down arrow in "Action". 11. Select "Delete selected users". 12. Click "Go". 13. Click "Yes, I'm sure". Not_Reviewed Vuln_Num V-269582 Rule_ID SV-269582r1053521_rule Severity medium Rule_Title The Xylok Security Suite configuration file must be protected. Vuln_Discuss Protecting the configuration file is a fundamental aspect of maintaining the security, integrity, and stability of Xylok Security Suite. By implementing robust protection mechanisms, Xylok can safeguard sensitive information, ensure compliance, and enhance operational reliability while minimizing the risks associated with unauthorized access and misconfigurations. Check_Content Check the Xylok configuration file permissions with the following command: $ ls -l /etc/xylok.conf If this file has permissions greater than "0644", this is a finding. Fix_Text As root, correct permissions for xylok.conf by running: # chmod 0644 /etc/xylok.conf Not_Reviewed Vuln_Num V-269583 Rule_ID SV-269583r1053524_rule Severity medium Rule_Title Xylok Security Suite must audit the enforcement actions used to restrict access associated with changes to it. Vuln_Discuss By default, auditing is not set up. Verifying that the host operating system generates audit records for events affecting /etc/xylok.conf is a critical security practice for Xylok. It enhances security monitoring, ensures accountability, supports compliance, maintains operational integrity, mitigates risks, and improves integration with security monitoring tools. Without auditing the enforcement of access restrictions against changes to the Xylok Security Suite configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Check_Content From the host machine as a normal user, verify the host OS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/xylok.conf" with the following command: Note: Directions are for Red Hat Enterprise Linux (RHEL) 8 and similar. If using a different OS, the steps may vary. $ sudo grep /etc/xylok.conf /etc/audit/audit.rules -w /etc/xylok.conf -p warx -k xylok_config If the command does not return a line, or the line is commented out, this is a finding Fix_Text Setting up auditing of a file in RHEL 8 involves using the auditd service and creating specific audit rules. Below are the steps to set up auditing for /etc/xylok.conf: 1. Ensure that the audit package is installed on your system by running the following: sudo dnf install audit 2. Start the auditd service if it is not already running: sudo systemctl start auditd 3. Enable the service to start automatically on boot: sudo systemctl enable auditd 4. Create an Audit Rule for the /etc/xylok.conf File: sudo auditctl -w /etc/xylok.conf -p warx -k xylok_config 5. Make the Audit Rule Persistent (optional): The rule set using auditctl will be active only until the next reboot. To make it persistent, add it to the /etc/audit/rules.d/audit.rules file. Open the file in a text editor: sudo vi /etc/audit/rules.d/audit.rules Add the rule at the end of the file: -w /etc/xylok.conf -p warx -k xylok_config 6. After making the rule persistent, restart the audit service to apply the changes: sudo systemctl restart auditd 7. The events related to the audited file will be recorded in /var/log/audit/audit.log. To view the logs, use the ausearch command: sudo ausearch -k xylok_config 8. To confirm that the rule is in place, list all current audit rules with: sudo auditctl -l Not_Reviewed Vuln_Num V-269584 Rule_ID SV-269584r1054096_rule Severity medium Rule_Title Xylok Security Suite must only allow the use of DOD Public Key Infrastructure (PKI) established certificate authorities (CAs) for verification of the establishment of protected sessions. Vuln_Discuss Untrusted CAs can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established. The DOD will only accept PKI certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. This requirement focuses on communications protection for the Xylok Security Suite session rather than for the network packet. This requirement applies to applications that use communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOAs). Check_Content Verify that the certificate Xylok uses for SSL is correctly signed with the following command. In this command, replace "xylok.local" with the domain named used to access the Xylok instance. $ openssl s_client -showcerts -servername xylok.local -connect xylok.local:443 </dev/null CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = E5 verify return:1 depth=0 CN = xylok.local verify return:1 --- Certificate chain 0 s:CN = xylok.local i:C = US, O = Let's Encrypt, CN = E5 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384 v:NotBefore: Jun 12 16:44:03 2024 GMT; NotAfter: Sep 10 16:44:02 2024 GMT -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- 1 s:C = US, O = Let's Encrypt, CN = E5 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- --- Server certificate subject=CN = xylok.local issuer=C = US, O = Let's Encrypt, CN = E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2367 bytes and written 380 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 256 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 Session-ID: E03F9C6A59BD7375CF86B43387C63F9BBD16EAA2A9970E64F70E20317D403D22 Session-ID-ctx: Resumption PSK: 15BFB16AF236A045FE9F5A0F64834A1B3EA76EE4185936D83560BAE940D01FF4 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: 0000 - d4 7d 77 f4 01 dd ba 65-57 59 76 e0 ab 8a 75 63 .}w....eWYv...uc 0010 - 19 6e cf 1b 44 db 35 c5-27 6b d8 b8 39 76 10 47 .n..D.5.'k..9v.G 0020 - f1 75 a5 4b 3a fb 2b 82-b9 f7 3c c5 7f 82 41 d0 .u.K:.+...<...A. 0030 - 3d 40 f1 f4 0d ef 8e 55-ee 2f 09 4b 96 d9 16 5a =@.....U./.K...Z 0040 - f2 7d cb af bd 55 4b f9-c8 2d 0d 8f 39 16 af 8c .}...UK..-..9... 0050 - 71 df 92 cc d1 1a ed 5d-71 eb a3 7f f0 8b 65 8c q......]q.....e. 0060 - 5b 16 18 0c 61 b2 cc c7-4b [...a...K Start Time: 1719438481 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK DONE If the output indicates a "verify error", Xylok is using a self-signed certificate and this is a finding. If the first certificate displayed is not a DOD-approved CA or other approved authority, this is a finding. Fix_Text Generate or acquire certificates from DOD PKI (or other approved source). Remove all files in /opt/xylok/certs. Place new certificate in PEM format at /opt/xylok/certs/cert.crt. Place new private key in PEM format at /opt/xylok/certs/key.key. Restart Xylok: systemctl restart xylok Not_Reviewed Vuln_Num V-269585 Rule_ID SV-269585r1053530_rule Severity high Rule_Title Xylok Security Suite must maintain the confidentiality and disable the use of SMTP. Vuln_Discuss Disabling the use of SMTP within the Xylok Security Suite is a strategic decision aimed at enhancing security, ensuring compliance, and reducing operational risks. By eliminating the potential vulnerabilities associated with email communications, Xylok can better protect sensitive data and maintain a robust security posture. Check_Content Verify USE_SMTP is configured by executing the following: $ grep USE_SMTP /etc/xylok.conf If "USE_SMTP" is not set to "False" or is missing, this is a finding. Fix_Text Set USE_SMTP: 1. As root, open /etc/xylok.conf in a text editor. 2. Add/Amend "USE_SMTP=False" to the configuration file. 3. Restart Xylok to apply settings by executing the following: # systemctl restart xylok Not_Reviewed Vuln_Num V-269586 Rule_ID SV-269586r1155158_rule Severity high Rule_Title Xylok Security Suite must use a central log server for auditing records. Vuln_Discuss Integrating a central log server for managing audit records within the Xylok Security Suite enhances security monitoring, incident response, and compliance efforts. By providing centralized logging, real-time analysis, and automated alerting, a central log server allows Xylok to maintain a robust security posture and effectively respond to potential threats, ultimately contributing to the organization's overall security strategy. Satisfies: SRG-APP-000745, SRG-APP-000115, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000805, SRG-APP-000515 Check_Content Verify that journald sends logs to rsyslog: # grep ForwardToSyslog /etc/systemd/journald.conf ForwardToSyslog=yes If ForwardToSyslog is commented out or not set to "yes," this is a finding. Verify that rsyslog is set to receive journald logs: # grep '\(imuxsock\|imjournal\)' /etc/rsyslog.conf /etc/rsyslog.d/* module(load="imuxsock") # provides support for local system logging module(load="imjournal") # provides access to the systemd journal If either module is not present or disabled, this is a finding. # grep '[[:space:]]@.*' /etc/rsyslog.conf /etc/rsyslog.d/* *.* @@yoursiem:1234 If rsyslog is not configured to forward logs to a central SIEM server, this is a finding. Fix_Text Edit /etc/systemd/journald.conf to include at least these lines: [Journal] ForwardToSyslog=yes Edit /etc/rsyslog.conf to include these lines: module(load="imuxsock") # provides support for local system logging module(load="imjournal") # provides access to the systemd journal *.* @@yoursiem:1234 Ensure yoursiem:1234 points to the correct host and port for your network. Restart journald and rsyslogd: # systemctl restar rsyslog systemd-journald Not_Reviewed Vuln_Num V-269740 Rule_ID SV-269740r1054081_rule Severity medium Rule_Title Xylok Security Suite must use a valid DOD-issued certification. Vuln_Discuss Without the use of a certificate validation process, the site is vulnerable to accepting certificates that have expired or have been revoked. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process. Check_Content Verify the Xylok Security Suite is using a valid DOD-issued certification with the following command: $ openssl x509 -noout -text -in /opt/xylok/certs/cert.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 Validity Not Before: Mar 20 18:46:41 2012 GMT Not After : Dec 30 18:46:41 2029 GMT Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 Subject Public Key Info: Public Key Algorithm: rsaEncryption If the Issuer is not an approved authority, this is a finding. Fix_Text 1. Obtain DOD root certificate authority (CA)-signed certificate for the domain or generate a certificate using other approved provider. 2. Install the certificate in x509 format at /opt/xylok/certs/cert.crt 3. Restart Xylok: systemctl restart xylok Not_Reviewed